chore(hardening): tighten security and footprint defaults
This commit is contained in:
17
.github/workflows/check.yml
vendored
17
.github/workflows/check.yml
vendored
@@ -111,6 +111,8 @@ jobs:
|
||||
|
||||
- name: Install Rust toolchain
|
||||
uses: dtolnay/rust-toolchain@stable
|
||||
with:
|
||||
components: rustfmt, clippy
|
||||
|
||||
# Cache the Cargo target dir + registry per OS so the heavy
|
||||
# whisper-rs-sys C++ build only happens on a clean cache.
|
||||
@@ -128,12 +130,24 @@ jobs:
|
||||
- name: cargo check (workspace)
|
||||
run: cargo check --workspace --all-targets
|
||||
|
||||
- name: cargo fmt
|
||||
run: cargo fmt --all -- --check
|
||||
|
||||
- name: cargo clippy
|
||||
run: cargo clippy --workspace --all-targets -- -D warnings
|
||||
|
||||
# Library tests only — no runtime/GPU deps. Linux-gated to keep
|
||||
# the macOS + Windows legs focused on compile coverage.
|
||||
- name: cargo test (workspace, libs)
|
||||
if: matrix.os == 'ubuntu-22.04'
|
||||
run: cargo test --workspace --lib
|
||||
|
||||
- name: cargo audit
|
||||
if: matrix.os == 'ubuntu-22.04'
|
||||
run: |
|
||||
cargo install cargo-audit --locked
|
||||
cargo audit
|
||||
|
||||
frontend:
|
||||
name: svelte build + lint
|
||||
runs-on: ubuntu-22.04
|
||||
@@ -150,6 +164,9 @@ jobs:
|
||||
- name: Install JS deps
|
||||
run: npm ci
|
||||
|
||||
- name: npm audit
|
||||
run: npm audit --audit-level=high
|
||||
|
||||
# `tauri build` inside check.yml would trigger the full Rust build
|
||||
# which is owned by the rust job. Here we only validate that the
|
||||
# Svelte/Vite frontend compiles cleanly.
|
||||
|
||||
Reference in New Issue
Block a user